jqs[.]exe | Triage

Sharing

Copy URL

Twitter E-mail

General

Target

jqs.exe
Size

157KB
MD5

1325e53e59592ef71ae34325e11d1907
SHA1

9dd3d81689a45abccbdf7e9d60ea4632f932c8ae
SHA256

5faddf8eb9e7b6c6346af27a7617720437b73a75a4dfd1a081fadd15ac4623d3
SHA512

a1edc9d4f79c8be0f973b0bfdacfb1923fa0f2fa0a70beac807a2564c4bf148ff5e23577b2a5408d6ac38bc67c65175c9d0a0949df088b0348e0a84b31437d36
SSDEEP

3072:PYxoX6z6bqmaeI4Vo/hc8ZgLv0s1XwG0+OWfNN0Ov8yDYj6W1e:PY1z6bqmaDhc8GqG0ONN0Ovb82W1e

Score

1^/10

Malware Config

Signatures

Files

jqs.exe
.exe windows x86

ab51c5ed4e68020a4aac68f885f4b988

Code Sign

38:25:d7:fa:f8:61:af:9e:f4:90:e7:26:b5:d6:5a:d5
Certificate

Issuer

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Not Before

15-06-2007 00:00

Not After

14-06-2012 23:59

Subject

CN=VeriSign Time Stamping Services Signer - G2,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

04-12-2003 00:00

Not After

03-12-2013 23:59

Subject

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

65:52:26:e1:b2:2e:18:e1:59:0f:29:85:ac:22:e7:5c
Certificate

Issuer

OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Not Before

21-05-2009 00:00

Not After

20-05-2019 23:59

Subject

CN=VeriSign Class 3 Code Signing 2009-2 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)09,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

5e:f1:dc:1e:fb:1e:46:b5:de:80:ed:e1:76:2a:55:a7
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2009-2 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)09,O=VeriSign\, Inc.,C=US

Not Before

07-07-2010 00:00

Not After

06-07-2013 23:59

Subject

CN=Oracle America\, Inc.,OU=Digital ID Class 3 - Microsoft Software Validation v2+OU=Software Engineering,O=Oracle America\, Inc.,L=Redwood Shores,ST=California,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

af:ea:f1:38:ef:d2:cf:88:ea:3c:6e:03:c9:8b:12:8c:49:ce:e6:da
Signer

Actual PE Digest

af:ea:f1:38:ef:d2:cf:88:ea:3c:6e:03:c9:8b:12:8c:49:ce:e6:da

Digest Algorithm

sha1

PE Digest Matches

true

Signature Validations

Trusted

false

Verification

Signing Certificate

CN=Oracle America\, Inc.,OU=Digital ID Class 3 - Microsoft Software Validation v2+OU=Software Engineering,O=Oracle America\, Inc.,L=Redwood Shores,ST=California,C=US

27-06-2011 10:22
Valid: false

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

ws2_32

recv
send
accept
htonl
htons
WSAEventSelect
select
getsockname
connect
listen
bind
socket
WSASetEvent
WSAWaitForMultipleEvents
WSAResetEvent
WSACreateEvent
WSAGetLastError
closesocket
WSACloseEvent
WSACleanup
WSAStartup

msvcr100

getenv
__iob_func
_localtime64
_time64
_vsnprintf
setlocale
strftime
fflush
_endthreadex
_beginthreadex
feof
fgets
tolower
_unlock
__dllonexit
isspace
_onexit
_except_handler4_common
_amsg_exit
__getmainargs
_cexit
_exit
_XcptFilter
__initenv
_initterm
_initterm_e
_configthreadlocale
__setusermatherr
_commode
_fmode
__set_app_type
?terminate@@YAXXZ
?_type_info_dtor_internal_method@type_info@@QAEXXZ
_crt_debugger_hook
_invoke_watson
_controlfp_s
strtod
strtoul
isdigit
_purecall
_strnicmp
exit
_snprintf
fread
ferror
iswspace
isxdigit
sscanf
sprintf_s
memmove_s
strcspn
fclose
strtol
printf
_stat64i32
fopen
_errno
strerror
??0bad_cast@std@@QAE@ABV01@@Z
??1bad_cast@std@@UAE@XZ
??0bad_cast@std@@QAE@PBD@Z
??_U@YAPAXI@Z
localeconv
memset
ldexp
??_V@YAXPAX@Z
free
fprintf
memchr
memcpy
__CxxFrameHandler3
memmove
??0exception@std@@QAE@ABV01@@Z
_CxxThrowException
??2@YAPAXI@Z
??3@YAXPAX@Z
??1exception@std@@UAE@XZ
?what@exception@std@@UBEPBDXZ
??0exception@std@@QAE@ABQBD@Z
__crtLCMapStringA
__pctype_func
isupper
___lc_codepage_func
___lc_handle_func
_calloc_crt
malloc
islower
__uncaught_exception
_free_locale
abort
_lock

kernel32

RaiseException
LocalAlloc
GetCurrentThreadId
GetTickCount
IsDebuggerPresent
SetUnhandledExceptionFilter
UnhandledExceptionFilter
TerminateProcess
HeapSetInformation
InterlockedCompareExchange
InterlockedExchange
DecodePointer
EncodePointer
QueryPerformanceFrequency
QueryPerformanceCounter
GetSystemTimeAsFileTime
Sleep
CreateFileMappingA
InterlockedDecrement
MapViewOfFile
LoadLibraryExA
VirtualLock
FindFirstFileA
FindNextFileA
FindClose
DeviceIoControl
SetFilePointer
ReadFile
VirtualUnlock
UnmapViewOfFile
WaitForMultipleObjects
GlobalMemoryStatus
SetConsoleCtrlHandler
GetCurrentProcessId
OpenProcess
SetPriorityClass
CreateEventA
SetEvent
WaitForSingleObject
GetLogicalDrives
QueryDosDeviceA
GetThreadLocale
GetCurrentThread
WideCharToMultiByte
CreateFileA
GetFullPathNameA
GetLongPathNameA
GetModuleFileNameA
CloseHandle
SetErrorMode
GetVersionExA
GetSystemInfo
GetLastError
GetCurrentProcess
GetProcAddress
FreeLibrary
GetSystemDirectoryA
LoadLibraryA
LeaveCriticalSection
EnterCriticalSection
DeleteCriticalSection
InitializeCriticalSection
InterlockedIncrement

Sections

.text
Size: 91KB - Virtual size: 90KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 44KB - Virtual size: 44KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 9KB - Virtual size: 9KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

ab51c5ed4e68020a4aac68f885f4b988

Code Sign

38:25:d7:fa:f8:61:af:9e:f4:90:e7:26:b5:d6:5a:d5Certificate

Extended Key Usages

Key Usages

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4Certificate

Extended Key Usages

Key Usages

65:52:26:e1:b2:2e:18:e1:59:0f:29:85:ac:22:e7:5cCertificate

Extended Key Usages

Key Usages

5e:f1:dc:1e:fb:1e:46:b5:de:80:ed:e1:76:2a:55:a7Certificate

Extended Key Usages

Key Usages

af:ea:f1:38:ef:d2:cf:88:ea:3c:6e:03:c9:8b:12:8c:49:ce:e6:daSigner

Signature Validations

Verification

27-06-2011 10:22 Valid: false

Headers

DLL Characteristics

File Characteristics

Imports

ws2_32

msvcr100

kernel32

Sections

.text Size: 91KB - Virtual size: 90KB

.rdata Size: 44KB - Virtual size: 44KB

.data Size: 4KB - Virtual size: 6KB

.rsrc Size: 2KB - Virtual size: 1KB

.reloc Size: 9KB - Virtual size: 9KB

38:25:d7:fa:f8:61:af:9e:f4:90:e7:26:b5:d6:5a:d5
Certificate

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

65:52:26:e1:b2:2e:18:e1:59:0f:29:85:ac:22:e7:5c
Certificate

5e:f1:dc:1e:fb:1e:46:b5:de:80:ed:e1:76:2a:55:a7
Certificate

af:ea:f1:38:ef:d2:cf:88:ea:3c:6e:03:c9:8b:12:8c:49:ce:e6:da
Signer

27-06-2011 10:22
Valid: false

.text
Size: 91KB - Virtual size: 90KB

.rdata
Size: 44KB - Virtual size: 44KB

.data
Size: 4KB - Virtual size: 6KB

.rsrc
Size: 2KB - Virtual size: 1KB

.reloc
Size: 9KB - Virtual size: 9KB